CVE-2026-43582
Server-Side Request Forgery in OpenClaw via DNS Rebinding

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs.
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-07
Generated: 2026-05-27
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.4.10 (2026.4.10 itself is not affected)
CWE
CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition): The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenClaw versions before 2026.4.10 and is a server-side request forgery (SSRF) issue related to the browser navigation policy.

Attackers can bypass hostname validation by exploiting DNS rebinding attacks, which take advantage of inconsistent hostname resolution between the validation process and the actual network requests.

This allows attackers to pivot to internal resources by using URLs with hostnames that are not on the allowlist.


How can this vulnerability impact me? :

The vulnerability can allow attackers to bypass hostname validation and access internal resources that should be protected.

This could lead to unauthorized access to internal systems or data by leveraging the SSRF vulnerability through DNS rebinding.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how the CVE-2026-43582 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-43582 vulnerability, you should upgrade OpenClaw to version 2026.4.10 or later, as these versions include a fix that tightens the browser's hostname navigation policy to prevent unauthorized host navigation.

  • Upgrade OpenClaw to version 2026.4.10 or later.
  • Ensure that hostname navigation is restricted to explicitly allowlisted hostnames or IP literals.
  • Apply the patch that routes Chrome DevTools Protocol (CDP) HTTP discovery through the pinned SSRF fetch path to enforce stricter security controls.

These steps prevent attackers from exploiting DNS rebinding attacks to bypass hostname validation and pivot to internal resources.
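The CWE-367 pattern behind this advisory and the "pinned" fetch path named in the mitigation can be shown side by side. The following Python is an added illustration, not OpenClaw's code: it assumes a navigation policy that validates the resolved address of a URL's hostname, and it models DNS rebinding with a constructed resolver that answers with a public address on the first lookup and an internal one afterwards. `naive_navigate` validates one resolution and then resolves again when connecting (check, then use), so the second answer wins; `pinned_navigate` allowlists the hostname (or accepts an IP literal, which involves no DNS), resolves exactly once, validates that single answer and connects to it. All hostnames, addresses and the `INTERNAL_NETS` block list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of hostnames the browser may navigate to
# (not OpenClaw's own configuration).
ALLOWED_HOSTS = {"allowed.example"}

# Address ranges treated as internal for this illustration. A production
# check should cover every non-global range (ipaddress's is_global is a
# good starting point); the explicit list keeps the example self-contained.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RebindingResolver:
    """Constructed stand-in for DNS: a public answer on the first lookup,
    an internal one on every later lookup. This is the behaviour a
    check-then-use (CWE-367) validation is exposed to."""

    def __init__(self, first_answer: str, later_answer: str):
        self.first, self.later = first_answer, later_answer
        self.lookups = 0

    def resolve(self, host: str) -> str:
        self.lookups += 1
        return self.first if self.lookups == 1 else self.later


@dataclass(frozen=True)
class PinnedTarget:
    host: str   # value for the Host header / TLS SNI
    ip: str     # address the socket actually connects to


def naive_navigate(host: str, resolver: RebindingResolver):
    """Vulnerable pattern: validate one resolution (check), then let the
    network layer resolve the name again when connecting (use)."""
    if is_internal(resolver.resolve(host)):        # check
        return None
    return PinnedTarget(host, resolver.resolve(host))  # use: second lookup


def pinned_navigate(host: str, resolver: RebindingResolver):
    """Hardened pattern: allowlist the hostname (or accept an IP literal),
    resolve once, validate that single answer, connect to exactly that IP."""
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:                         # IP literal: no DNS involved
        return None if is_internal(host) else PinnedTarget(host, host)
    if host not in ALLOWED_HOSTS:                   # hostname must be allowlisted
        return None
    ip = resolver.resolve(host)                     # exactly one lookup
    if is_internal(ip):
        return None
    return PinnedTarget(host, ip)                   # later connect() uses ip, not host


if __name__ == "__main__":
    rebinding = RebindingResolver("198.51.100.10", "127.0.0.1")
    print("naive :", naive_navigate("allowed.example", rebinding))
    rebinding = RebindingResolver("198.51.100.10", "127.0.0.1")
    print("pinned:", pinned_navigate("allowed.example", rebinding))
```

Whatever HTTP client sits behind `PinnedTarget` must open the socket to `ip` while still sending `host` in the Host header and SNI; a client that is handed the URL and left to resolve the name itself reintroduces the second lookup and with it the race.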